In your example you are altering the behavior of the query based upon input which does not affect injection attacks. The idea of protecting against injection attacks is to stop invalid values from being executed within the query/SP.
Take for example this query:

delete from customer where customerId = 1

If this query were parameterized from CF without cfqueryparam, you would have:

delete from customer where customerId = #customerId#

If someone were trying to inject SQL they could inject "1;drop customers;" as the parameter, and without the queryparam it would be executed literally as the following and drop the customers table:

delete from customer where lastname = 1; drop customers;

To prevent this we utilize cfqueryparam, which parameterizes the query that is passed. As I understand it, this informs the database that the value being passed is of a specific datatype. So in the previous example:

delete from customer where customerId = <cfqueryparam value="#customerId#" cfsqltype="cf_sql_integer" null="false" />

In essence, the database sees this as:

declare @custId int
set @custId = 1
delete from customer where customerId = @custId

This has the benefit of not allowing the additional SQL to be injected, and, I just learned recently, it also creates a parameterized query which on SQL Server creates a cached query execution plan, minimally increasing performance.

HTH,
Rich
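The contrast Rich describes, as an added example that is not part of the original post or of ColdFusion: Python's sqlite3 module stands in for the CF/SQL Server stack, the customer table and the "1; drop table customer;" input are constructed for the demo, and the function names are mine. delete_customer_unsafe() is the #customerId# pattern (the raw string pasted into the statement), delete_customer_bound_text() shows what parameter binding alone buys (the input travels as data, so the appended SQL never runs), and delete_customer_safe() adds the cf_sql_integer style type check on top, which rejects the input outright.

```python
import sqlite3

# Constructed sample schema, standing in for the customer table in the post.
SCHEMA = """
create table customer (customerId integer primary key, lastname text);
insert into customer values (1, 'Smith');
insert into customer values (2, 'Jones');
"""


def make_db():
    """Fresh in-memory SQLite database holding the constructed customer rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def delete_customer_unsafe(conn, customer_id):
    """#customerId# without cfqueryparam: the input becomes part of the SQL text.
    executescript() runs several statements in one call, mimicking a driver with
    statement batching enabled, which is what lets the appended SQL execute."""
    sql = f"delete from customer where customerId = {customer_id}"
    conn.executescript(sql)
    conn.commit()


def delete_customer_bound_text(conn, customer_id):
    """Parameter binding only: the input is sent as a bound value (?), so the
    database compares it as data; whatever it contains is never parsed as SQL."""
    conn.execute("delete from customer where customerId = ?", (customer_id,))
    conn.commit()


def delete_customer_safe(conn, customer_id):
    """Approximation of cfqueryparam cfsqltype="cf_sql_integer": the value must be
    an integer, and it is then bound as a parameter rather than interpolated."""
    value = int(customer_id)  # "1; drop table customer;" raises ValueError here
    conn.execute("delete from customer where customerId = ?", (value,))
    conn.commit()


def customer_table_exists(conn):
    row = conn.execute(
        "select count(*) from sqlite_master where type = 'table' and name = 'customer'"
    ).fetchone()
    return row[0] == 1


def customer_count(conn):
    return conn.execute("select count(*) from customer").fetchone()[0]


def demo(payload="1; drop table customer;"):
    """Run the same hostile input through all three versions and report the outcome."""
    result = {}

    unsafe = make_db()
    delete_customer_unsafe(unsafe, payload)
    result["unsafe_table_survives"] = customer_table_exists(unsafe)

    bound = make_db()
    delete_customer_bound_text(bound, payload)
    result["bound_table_survives"] = customer_table_exists(bound)
    result["bound_rows_after"] = customer_count(bound)  # nothing matched, nothing deleted

    safe = make_db()
    try:
        delete_customer_safe(safe, payload)
        result["safe_rejected_input"] = False
    except ValueError:
        result["safe_rejected_input"] = True
    result["safe_table_survives"] = customer_table_exists(safe)
    result["safe_rows_after_reject"] = customer_count(safe)

    delete_customer_safe(safe, "1")  # a legitimate id still works as intended
    result["safe_rows_after_valid_delete"] = customer_count(safe)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the unsafe version losing the table, the bound-text version keeping the table and deleting nothing (the string does not equal any integer id), and the typed version refusing the input before it reaches the database; the cached-plan benefit Rich mentions comes from the same bound-parameter form, since the statement text no longer changes per request.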

